Chapter 12
Tunneling and VPNs
RUGGEDCOM ROX II
CLI User Guide
Parameter              Description
type { type }          Synopsis: { default, default-route, address }
                       Default: default
                       The next hop type. With the default type, the next hop is the right side's
                       public IP, unless overwritten by the default connection setting.
value { value }        Synopsis: A string 7 to 15 characters long
                       The IP address of the next hop that can be used to reach the destination
                       network.
7. Configure the Network Address Translation (NAT) traversal negotiation method by configuring the following parameters:
NOTE
Using the RFC 3947 negotiation method instead of draft-ietf-ipsec-nat-t-ike-02 may cause issues when
connecting to the IPsec server, because RFC 3947 uses different identifiers when NAT is involved. For
example, when a Windows XP/2003 client connects, Libreswan reports the main mode peer ID
as ID_FQDN: '@example.com'. However, when a Vista, Windows 7 or other RFC 3947 compliant
client connects, Libreswan reports the main mode peer ID as ID_IPV4_ADDR: '192.168.1.1'. If
possible, use the draft-ietf-ipsec-nat-t-ike-02 method to avoid this issue.
Parameter                                        Description
nat-traversal-negotiation                        Synopsis: { default, draft-ietf-ipsec-nat-t-ike-02, rfc-3947 }
{ nat-traversal-negotiation }                    Default: default
                                                 The NAT traversal negotiation method. Some IPsec endpoints prefer RFC 3947 over
                                                 draft-ietf-ipsec-nat-t-ike-02 when connecting with Libreswan, and these two
                                                 methods use different identifiers when NAT is involved. For example, when a
                                                 Windows XP/2003 client connects, Libreswan reports the main mode peer ID as
                                                 ID_FQDN: '@example.com', but when a Vista, Windows 7 or other RFC 3947
                                                 compliant client connects, Libreswan reports the main mode peer ID as
                                                 ID_IPV4_ADDR: '192.168.1.1'. This mismatch causes issues connecting to the
                                                 IPsec server. In such cases, setting this option to
                                                 draft-ietf-ipsec-nat-t-ike-02 solves the problem. The default value is
                                                 'rfc-3947' unless overwritten by the default connection setting.
8. If required, configure a subnet for the connection end. For more information, refer to Section 12.8.10.3,
“Adding an Address for a Private Subnet”.
9. Type commit and press Enter to save the changes, or type revert and press Enter to abort.
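The next-hop, NAT traversal and private-subnet values above are easy to mistype, and the device only tells you about a bad value at commit time. The following script is an added example (not code from the RUGGEDCOM ROX II guide or from Siemens) that checks candidate values against the synopses given in the guide before they are entered on the CLI: the 'value' length constraint and dotted-quad form, the resolution of 'default' to rfc-3947 unless a default connection setting overrides it, the address-and-mask form of a private subnet, and the ID_FQDN versus ID_IPV4_ADDR distinction that the NOTE describes. The rendering to Libreswan ipsec.conf keywords (nat-ikev1-method, rightnexthop, rightsubnet) is an assumed translation for comparison with what the device negotiates; the guide does not document how ROX II maps its parameters onto Libreswan.

```python
"""Sanity checks for the IPsec connection-end settings discussed above.

Added example; not code from the RUGGEDCOM ROX II guide or from Siemens.
Constraints come from the guide's synopses. The Libreswan rendering is an
ASSUMED translation (the guide does not document the ROX II mapping).
"""
import ipaddress

NEXT_HOP_TYPES = {"default", "default-route", "address"}
NAT_T_METHODS = {"default", "draft-ietf-ipsec-nat-t-ike-02", "rfc-3947"}

# Assumed mapping onto Libreswan's 'config setup' keyword nat-ikev1-method.
LIBRESWAN_NAT_IKEV1_METHOD = {
    "draft-ietf-ipsec-nat-t-ike-02": "drafts",
    "rfc-3947": "rfc",
}


def validate_next_hop(hop_type, value=None):
    """Return the next-hop parameters as a dict, or raise ValueError.

    The guide only says 'value' is 7 to 15 characters; the string is also
    parsed as IPv4, so '300.1.1.1' (9 characters) is rejected as well.
    """
    if hop_type not in NEXT_HOP_TYPES:
        raise ValueError("unknown next hop type: %r" % (hop_type,))
    if hop_type != "address":
        if value is not None:
            raise ValueError("value is only meaningful with type 'address'")
        return {"type": hop_type}
    if value is None:
        raise ValueError("type 'address' requires a value")
    if not 7 <= len(value) <= 15:
        raise ValueError("value must be 7 to 15 characters long")
    # AddressValueError is a ValueError subclass, so one except clause suffices.
    return {"type": hop_type, "value": str(ipaddress.IPv4Address(value))}


def resolve_nat_t_method(setting, connection_default=None):
    """Resolve 'default' as the guide describes: the default connection
    setting wins if present, otherwise rfc-3947."""
    if setting not in NAT_T_METHODS:
        raise ValueError("unknown NAT traversal method: %r" % (setting,))
    if setting != "default":
        return setting
    if connection_default is None:
        return "rfc-3947"
    if connection_default not in NAT_T_METHODS - {"default"}:
        raise ValueError("bad default connection setting: %r" % (connection_default,))
    return connection_default


def classify_peer_id(peer_id):
    """Classify a main mode peer ID as Libreswan prints it: '@example.com' is
    ID_FQDN, '192.168.1.1' is ID_IPV4_ADDR, 'user@host' is ID_USER_FQDN.
    Anything else is returned as ID_UNKNOWN rather than guessed."""
    if peer_id.startswith("@"):
        return "ID_FQDN"
    try:
        ipaddress.IPv4Address(peer_id)
        return "ID_IPV4_ADDR"
    except ValueError:
        pass
    return "ID_USER_FQDN" if "@" in peer_id else "ID_UNKNOWN"


def validate_private_subnet(cidr):
    """The private subnet is given as address and mask. Strict parsing rejects
    a host address such as 192.168.2.1/24 (host bits set): a typo, not a network."""
    return str(ipaddress.IPv4Network(cidr, strict=True))


def render_libreswan(conn_name, next_hop, subnet, nat_t, connection_default=None):
    """Render the ASSUMED Libreswan equivalent of the right side's settings."""
    hop = validate_next_hop(**next_hop)
    method = resolve_nat_t_method(nat_t, connection_default)
    lines = [
        "config setup",
        "    nat-ikev1-method=%s" % LIBRESWAN_NAT_IKEV1_METHOD[method],
        "",
        "conn %s" % conn_name,
        "    rightsubnet=%s" % validate_private_subnet(subnet),
    ]
    if hop["type"] == "address":
        lines.append("    rightnexthop=%s" % hop["value"])
    elif hop["type"] == "default-route":
        lines.append("    rightnexthop=%defaultroute")
    # type 'default': rightnexthop stays unset; per the guide the right side's
    # public IP is then used.
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input, not values from the guide.
    print(render_libreswan("site-b", {"hop_type": "address", "value": "10.0.0.1"},
                           "192.168.2.0/24", "default",
                           connection_default="draft-ietf-ipsec-nat-t-ike-02"))
    for pid in ("@example.com", "192.168.1.1"):
        print(pid, "->", classify_peer_id(pid))
```

Run the checks against the values you intend to enter, then type them in steps 6 to 8 and commit. If the clients you expect behind NAT are a mix of ID_FQDN (Windows XP/2003) and ID_IPV4_ADDR (RFC 3947 compliant) peers, the NOTE above applies and nat-traversal-negotiation should be set to draft-ietf-ipsec-nat-t-ike-02 rather than left at its default.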
Section 12.8.10
Managing Private Subnets
If the device is connected to an internal, private subnet, access to that subnet can be granted to the device at the
other end of the IPsec tunnel. Only the IP address and mask of the private subnet are required.
CONTENTS
• Section 12.8.10.1, “Configuring Private Subnets for Connection Ends”
• Section 12.8.10.2, “Viewing a List of Addresses for Private Subnets”
• Section 12.8.10.3, “Adding an Address for a Private Subnet”
• Section 12.8.10.4, “Deleting an Address for a Private Subnet”